Pages

Tuesday, October 8, 2013

First, I'm a big fan of amazon mp3. They offer high-quality DRM-free music that plays on anything and often at very competitive prices. And they make it very easy to spend a good amount of money and get some quality music. Their suggestions and free content have also been where I've discovered lots of new artists, such as ZZ Ward.

But I absolutely abhor shopping for mp3s on my mobile phone on Amazon's mp3 app. Their interface on mobile only gives you these features:

Search

Recommendations

Bestsellers

New Releases

Genres

And some individual highlights, such as a $0.69 song, Latin song, Hot Single, one Free Song, a $5 album, a Song of the week, and an Album of the week

Amazon mp3 store in Chrome on Android

Amazon mp3 Android UI

Amazon mp3 desktop website

All of the categories let you view by Album or Songs. And one of the first annoying things is that there is an arbitrary limit of 100 items in each of the categories. What song/album is the 101st New Release? What if I want to keep shopping down the list? What if I own or don't care about the top 100?

Grievance list:

100 item arbitrary limit, regardless of the category, with no way to keep scrolling for more. Although I do see that even the desktop site caps the list at this arbitrary number. Lame x 2.

No way to view song/album reviews, other than a static star-list. This is one of the highlights of the Amazon mp3 experience on the desktop that I find most useful (and often entertaining).

No way to rate songs/albums on mobile. Oops, a prerequisite for contributing (or benefiting) from the crowdsourced content is that you must first go to Amazon and buy a PC.

No access to the sub-lists within the category. One of my favorites has been the Top 100 Free lists. Another fun one is their monthly $5 albums list. I've found some great artists just perusing those lists. But sadly, on mobile you have no inkling they even exist. At least their HTML website on mobile has those (but even then the UI takes many cues from the mobile application).

No child lock. At least Amazon VOD on my Roku has a PIN code that I need to enter before purchasing videos to keep my kids from draining my bank account. Be careful who you give your phone to!

What you miss out on from the desktop site:

Hot New Releases

Movers & Shakers

Top Rated (another failure to enable social media to help drive sales)

Featured Albums, Editor's picks, Artists on the rise, etc. (no ability to take advantage of Amazon's music buyer curation, which is quite good. I've found lots of good music that way)

Customers who viewed/purchased X also viewed/purchased Y

All of the "deals" lists. You get only a light mist of them.

No wish list integration. Where's a list of the music on my wish list? Can I add an item to my wish list rather than just buy it now?

Lack of a Play All button to play all samples. The desktop site has it. You somehow have to know that it will automatically play all (but this doesn't give you a choice to listen to one without listening to all)

Lack of larger cover art.

I gave their HTML website a whirl in Chrome on Android and, although better in a few areas, it still has some of the annoying limitations that drive me back to a PC (the most annoying is when the _functionality_ of the site is artificially pruned, so you don't even know it exists). I would love to get rid of my PCs and have nothing but tablets, but all too often the mobile experience on apps is completely butchered and hobbled to the point where you often have no choice but to fake a desktop browser or just open up the laptop. But I digress.

What they did right:

Long-press context menu on an item lets you "Shop album" or "Shop artist". Nice way to explore "more"

Music previews good quality and have continuous play for sampling

Convenient to quickly purchase songs/albums you just heard.

I could rant about the cloud player annoyances, but they are far fewer.

Where Google Play Music Store on Android shines:

Clean, intuitive UI with swipe interaction model

Infinite scrolling lists of Top Albums, Top Songs, even Recommendations, etc.

Wish list integration

Free-music lists

Personalized recommendations right on the home screen based on genres and artists in your existing collection

Video integration

Clear Play All button to play all samples.

Larger thumbnails and ability to click and see a larger version you can actually see

You can read the reviews!!! And contribute your own. And moderate the reviews.

Integration with Google+ for sharing/liking content. Would be nice if there were other options than Google+ though.

Integration with Android Share to send via twitter, email, etc.

Parity with the desktop site (it's the same thing, only with more real-estate)

Google Play Music Desktop site

Google Play Music App on Android

Google Play Music is rather annoying for purchases, especially forcing you to go through the same workflow for free songs as if you were "buying" them (really works to discourage "buying" multiple Free tracks, which may have been a business requirement -- I don't know). Too many clicks (even on the desktop).

At this point, what I would wish for these things to be fixed:

Update the UI to take advantage of mobile capabilities and gestures. Swipe from tab to tab to fluidly navigate

Remove the 100 item cap and make everything infinite scroll lists.

Abandon the "mobile crippleware" design strategy that so many have fallen in love with and maintain parity with the desktop site for accessing all of the same content. If you are concerned about UI bloat, there are ways of handling that (just look at Google's approach for one). I prefer to have the options available _somewhere_ even if hidden in another menu somewhere.

If you can't get the functionality into the mobile app, at least enable links into the mobile web version of the site from the Android app to allow for accessing the functionality

Remove the "mobile crippleware" design strategy on the mobile website to also maintain parity with the desktop site.

Take advantage of the curated content to drive sales!

Take advantage of user feedback and your preferences engine that works rather well on the desktop site to enable social exploration of other users who may have similar tastes to discover new music.

Enable social integration. I've often wanted to share a song I just heard or a playlist publicly but cannot

Push notifications could be employed in a limited way (ideally, fully user customizable) to notify when the new $5 list of albums are out, new free songs, highlighted curated content, etc. I'd sign up for them.

Here's an idea, since you have access to the Android media list, you could maybe actually recognize in the UI when I've already purchased a given album/song (either from Amazon or elsewhere). You don't even do that for stuff in my Cloud Player for some strange reason.

Wednesday, September 25, 2013

White people seem to love them some waterfront property in Seattle. This is fascinating. Go check out your neighborhood on the map. There are clearly pockets of similar ethnicity divided by street boundaries.

Wednesday, September 18, 2013

As I've used Twitter more, I've noticed how many of the shared URLs are shortened. And to think that the Library of Congress is archiving all US tweets, how many will actually be usable at some point in the future? Hopefully their process logs the resolved actual URL instead of the shortened one. When I restored my blog, it was amazing how many broken links I found. I stopped fixing them. That's just the regular web. Adding URL shortening is another level of indirection that is also another failure point.

As an information security guy, there's another downside and that is just how secure are the shortened URLs now and long into the future from malicious redirection, including information warfare? Shortened URLs give a single entity enormous power into the future to do some pretty bad stuff. And I was wondering about the choice of Top-Level Domains (TLDs) that are used for URL shortening services. Just how stable are those politically? What kind of information warfare opportunities are there? Which URL shorteners have better security properties given all of the possible attack vectors? How powerful a political statement would it be if all of the shortened URLs were replaced by a political statement or terrorist threat for almost everything referenced on Twitter? You'd be able to gather a lot of eyeballs and press by doing that to get your message out.

bit.ly and ow.ly - both very popular on Twitter (as well as several others using .ly). The LY top-level domain is controlled by Libya. I can't see a problem with them controlling where my links go now or sometime in the future, do you? Information warfare, anyone? Libya is on the US State Department's list of travel warnings, with this summary of the stability of the region, "The security situation in Libya remains unpredictable. Sporadic episodes of civil unrest have occurred throughout the country."

su.pr - Stumbleupon's url shortener service. The PR TLD is Puerto Rico, an unincorporated US territory. So it probably would be more likely to have reasonable protection from information warfare except of course at the behest of our own US government.

goo.gl - a newer entrant, run by Google. The GL TLD is Greenland, which is part of the Kingdom of Denmark. Interestingly, Denmark is "frequently ranked as the happiest country in the world in cross-national studies of happiness", Wikipedia

is.gd - A service that has an interesting terms of service about being an ethical URL shortener. The GD TLD is actually Grenada The world bank publishes XML data apparently that includes probability of political instability/terrorism for various countries, including Grenada. The current data shows a measure of the Political Stability and Absence of Violence (PV) – "capturing perceptions of the likelihood that the government will be destabilized or overthrown by unconstitutional or violent means, including politically-motivated violence and terrorism." of 0.44. However, the USA's data is continuing up and also has a 0.54. Earlier this year, the .gd domain and two others were also hijacked due to a dispute over control ov"er the TLDs.

tr.im - a shortening service that shut down in 2009 (but appears to possibly be back?)

Given these factors, I'd first suggest you run your own shortener service if you want full control and assurance of longevity (assuming you can build and operate such a thing securely). But if you had to pick a service, I'd go with a service running on a stable TLD registrar not likely to be subject to political wills of the host country and hosted by a company not likely to be going anywhere for the next few decades. Or just consider all communications using URL shorteners to be ephemeral and consider the likely non-functioning in the future a security precaution against future government snooping, perhaps.

Some other takes on them from around the web that summed up some of the general thoughts I had about them (if you care about your content being usable down the road and care about whether someone could take your visitors for a ride to malware-town)

Why I'm creating my own URL shortening service "I suppose that one of the driving forces behind this is my training as an archaeologist (we don’t like throwing things away, generally, and that includes data). I can’t archive the pages I link to, but at least I can give folks in the future a better chance of finding what I’m linking to."

Thursday, July 11, 2013

I searched and didn't find a Seattle-specific Information Security calendar showing not only conferences, but smaller security events. So I created a new public one. And I guess that means now I'm maintaining one ;-)

Tuesday, July 2, 2013

As a way of background, Phil Zimmerman's company Silent Circle became wildly successful recently after Snowden's disclosures of extensive NSA data collection of telephony "metadata" and "data — including e-mails, videos, pictures, and connection logs — from the main servers of Microsoft, Google, Apple, and other leading U.S. tech companies" (1). "Mike Janke, one of the founders, estimated that the number of new customers for its subscription-based service surged by 400 percent" (2)

Mark Dowd from Azimuth Security "decided to take a brief look at the GNU ZRTPCPP library (https://github.com/wernerd/ZRTPCPP), which is a core security component of various secure phone solutions (perhaps most notably, the impressive SilentCircle suite of applications)." (3) He found several disturbing vulnerabilities in this library, including heap overflows, stack overflows, etc. that can lead to remote code execution or crashing the application. Additionally, Matthew Green found an implementation issue after a casual review.

Several applications use the same library, but most are open source free software applications. Silent Circle, however, is a commercial venture started by PGP's Phil Zimmerman. And commercial entities, especially offering a service and product set completely geared toward security and privacy should probably be expected to have an application security program and sufficient tooling and resources to validate and vet its wares. And they claimed to have had done this. However, due to the glaring bugs that were identified in the ZRTPCPP library that they mainly funded development of through its author, Werner Dittman, it is clear that their controls program to ensure security of their product is wholly inadequate and they admit as much

"[W]e audit and test our own work and pay others to audit and test it for us. Obviously, in this case, the auditing failed. It was my understanding that all of the libraries that we used were audited, as well as all of our own code. The fact that these problems were missed suggests that there is a problem with the auditing process, that either not all of the third party libraries were audited or that somehow the auditing was not rigorous. Besides developing, testing and deploying these fixes, we will also be looking into the process." (4)

When I learned the details, I wondered what can other entities that either have application security programs in place (or should) learn from this?

Even security software companies make mistakes and imperil security -- sometimes they make some doozies

So, don't assume that because a company has a security stalwart like Phil Zimmerman or that it's in the security business that it is immune from the software security problems most everyone in every organization is dealing with.

Open source does allow for "more eyes" to potentially make "all bugs...shallow" but it's not a guarantee. "open source can be reviewed by more people than proprietary software, but I don’t think it is reviewed by more people than proprietary software." (5)

ZRTPCPP code had these bugs for roughly 6 years before they were found, and there were not just security bugs but double-increment bugs in loops and other issues. Third-party dependencies need to be evaluated as part of your threat model and the same scrutiny needs to be applied as you would to your own code. Probably even more so as you also need to consider other non-technical issues with each such as third-party viability, responsiveness, etc.

Use static analysis!

Several of these bugs are trivial for static analysis tools to find. For C++ code, there's even the clang analyzer that is open source. This should be part of the build process and findings validated and hopefully fixed prior to release.

Trust, but verify your application security controls

So, you paid a chunk of change to an external party to vet your code for security issues and you got a clean bill of health. That means you can rest easy, right? Not necessarily. Absence of evidence is not evidence of absence. There are myriad reasons that an external assessment did not yield results. It could have been that the tester had inadequate experience or perhaps was not thorough enough or was just plain incompetent -- all would yield equally "impressive" results. Ideally, you should be vetting your external partners to ensure they are able to catch flaws. You could even purposefully include code with known issues as a test.

Write unit tests -- and ensure they execute as part of every build.

How can you trust code without any unit tests, or if the tests are not continuously executed to guard against new bugs being introduced, especially code that needs to accept arbitrary untrusted inputs that can be malformed in myriad ways? Looking at the github repository for the library, I see lots of application C++ code, but I don't see any folder with "test" in it. I see a couple of files in the "demos" directory with "test" in the name, but based on their function and the README, they are examples of how to use the code, not defensive tests ensuring the correct functioning of the implementation (which should include both happy path cases and negative/boundary cases).

Even if you're the best coder in the world and think you don't need tests, what about the next person to make a change to your code or the team that inherits your code for maintenance who lacks your skill and familiarity? How can you ensure correct, safe operation now and in the future without code to check your code? What if an implementation (or security) bug is found in your code? How do you validate your fix works? How do you ensure that the same issue doesn't get re-introduced later? Unit tests can do all of this for you while you sleep and your continuous integration (CI) build runs.

Security software needs to be the leader in this. If those in infosec can't write secure software and follow secure development pracices, what are the chances for the rest of us?

Fuzz your network code. (and fuzz your other code as well)

This could be a corollary of the unit test recommendation. Code expecting untrusted inputs from outside should be fuzzed with random inputs and boundary conditions to validate your parsing and buffering code is sufficiently robust against active attacks. Fuzzing can help find other test cases that your unit tests may not be covering. If you find anything -- fix it -- and write a unit test for it so you will ensure that your code will remain immune to that issue in the future.

Thursday, June 20, 2013

"You complain that our work may undermine public conﬁdence in the payments system. What will support public conﬁdence in the payments system is evidence that the banks are frank and honest in admitting its weaknesses when they are exposed, and diligent in effecting the necessary remedies. Your letter shows that, instead, your member banks do their lamentable best to deprecate the work of those outside their cosy club, and indeed to censor it."

I've had it on my TODO list to resurrect my blog posts and import into Blogger and finally started doing it. So, you'll see lots of former posts coming back. I'm trying to review each one and clean up any formatting issues or easy to fix broken links or images.

My incentive was that summer is here, but I could not find the recipe for My New Concoction: The Adele Claire. And I'm also going to be crafting a new creation in honor of my son. Now it is back so enjoy an Adele Claire and read some history ;-)

Thursday, February 28, 2013

I've been taken aback lately by a variety of claims on blogs and twitter of someone "harassing" someone else or "stalking" them. People seem to throw these words out so cavalierly that they are in serious danger of being devalued; watered down so that they have no substantive meaning.

I wanted to do my own research to provide those who might be tempted to throw these words out in casual assertions with some clear definitions and some tools you could use to perhaps determine if certain behaviors rise to the level of actual "harassment" or "stalking" before using those terms.

Many states, including my own, have passed laws where these terms have been given specific meanings that can help provide some guidance (although many I have seen are still problematic in an operational sense as they are fairly vague and do not differentiate between "annoying" and outright "harassing" behavior).

Okay, that is not very helpful in terms of distinguishing between behavior that is socially and morally acceptable from the abusive kind of behavior. What causes behavior to rise to the level of harassment vs. mere annoyance?

My own state of Washington defines an "unlawful harassment" term thusly[1]:

"Unlawful harassment" means a knowing and willful course of conduct directed at a specific person which seriously alarms, annoys, harasses, or is detrimental to such person, and which serves no legitimate or lawful purpose. The course of conduct shall be such as would cause a reasonable person to suffer substantial emotional distress, and shall actually cause substantial emotional distress to the petitioner, or, when the course of conduct would cause a reasonable parent to fear for the well-being of their child.

California was one of the first states to pass online harassment legislation and this is their definition[2]:

"Harassment" means a knowing and willful course of conduct directed at a specific person that a reasonable person would consider as seriously alarming, seriously annoying, seriously tormenting, or seriously terrorizing the person and that serves no legitimate purpose.

The key distinctions of harassment over just annoying behavior are:

willful (speaks to the intent of the actions)

directed at a particular individual

seriousness or severity of the conduct (typically "torments" or "terrorizes" the individual)

serves no legitimate or lawful purpose

causes"substantial" emotional distress

Cyberstalking is a flavor of harassment that "generally refers to a clear pattern of conduct through which the perpetrator causes the victim reasonable fear for their safety or their family's safety."[4] Not all states have statutes covering both of these flavors and many include just one or the other or lump both in together.[5]

(1) A person is guilty of cyberstalking if he or she, with intent to harass, intimidate, torment, or embarrass any other person, and under circumstances not constituting telephone harassment, makes an electronic communication to such other person or a third party:
(a) Using any lewd, lascivious, indecent, or obscene words, images, or language, or suggesting the commission of any lewd or lascivious act;
(b) Anonymously or repeatedly whether or not conversation occurs; or
(c) Threatening to inflict injury on the person or property of the person called or any member of his or her family or household.

So, my state differentiates cyberstalking different from plain harassment:

requires a particular intent

requires an electronic (but not telephone) communication

requires the content to be of a nasty nature OR

requires making a threat to the person or property or relations

I'm not going to drag up any specific twitter or blog examples of people devaluing harassment (you know who they (or you) are). But will generally point out that flaming someone or mentioning someone on twitter or a blog would not rise to the level of

But some of the actions that I've seen documented would appear to meet (IANAL) some (or more) of the legal criteria. Such as photoshopped obscene pictures of the individuals being criticized, and perhaps the practice of doxing people that you disagree with (which only seems to serve the purpose of intimidating the individual by exposing their physical and personal information).

Anyhow, the legal language still does not make it quite clear where to draw the line between annoying someone and harassing. Stalking may be clearer, although I don't quite understand how the term "stalking" applies based on the way the legal language is written. What is more useful is a heuristic tool to gauge someone's words and actions. One such tool was mentioned on a Linkedin discussion forum that is claimed to originate from the University of Alberta[6]. I tried to find the primary source material for the tool as I think it is a good one, but have yet to find it. I will quote it here for posterity and will add pointers to the original if it ever comes to light. The tool is called R.A.T.E.:

Respect - Is this behaviour respectful? Does this behaviour honour the dignity and the worth of the person? Does the behaviour recognize and appreciate differences - culture, viewpoint, age, status etc.?

Appropriate - Is the behaviour appropriate to the situation and to the relationship between the individuals?

Trust - Many relationships are relationships of trust - e.g. the relationship between a professor and student or between an employee and manager. Is the behaviour a violation of the trust?

Equal - What is the power balance in the relationship? Are the individuals equals? Is the behaviour exploiting a difference in power? Would an objection to the behaviour threaten the well-being of the person to whom the behaviour is directed?

I like that this model includes an assessment of the relative power of the individuals involved. There is a note that a single incident would not rise to the level of harassment. Harassment would generally need to involve a pattern of behavior.

Wednesday, February 27, 2013

I used to have a blog. I used to opine in it. Oh those days of yesteryear before kids when I had such luxuries of time... I let my blog languish. It devolved into my personal bookmark tool. It didn't have a good focus. It was called "Juxtaposition", after all, which is by its nature not focused. I had a missed opportunity to call it "Jaxtaposition" since my network handle was often "jaxley" -- a kind of portmanteau of my name. But I have even found since then that neither were as unique or compelling as I had thought.

I have long wanted to have a place that could serve as my sounding board for sharing insights or tips regarding information security as well as skepticism and science. This is the focus my previous effort lacked. I plan to tag each post separately so if it turns out you really don't care about skepticism, you can just subscribe to the "security" tagged items. And vice-versa, you could just subscribe to the "skeptical" tags.

I get a lot from detailed articles and in-depth insights and wanted to be able to give back to some extent. This will be my vehicle to do so.

Coming up with a name was a combination of frustration and humility in that so many of the names I thought of were not just inspiring to me but had been used already or were too common to stand out. I wanted something that would embody what my I've come to see is a core moral imperative: to seek the truth, no matter where it leads, and to stamp out falsehood and ignorance as the enemies of truth. Hence, "The Truth Imperative" seemed to embody this perfectly and was also was not crowded out in the Google search rankings. In fact, even before I posted the first article, this blog is result number 7 on Google.

If you were on the fence about the moral angle to the truth, perhaps the analogy in this quote will make the relationship clearer:

It is morally as bad not to care whether a thing is true or not, so long as it makes you feel good, as it is not to care how you got your money as long as you have got it. -- Edmund Way Teale

There is something inside me that is outraged by truth injustices as much as social injustice. Falsehoods are so corrosive to our democracy, our environment, our health, to our freedoms, our safety, our own personal growth, and our understanding of the world around us. I came across this blog post, The reason for truth, sets out a fantastic list of reasons why the truth matters that I heartily endorse and says much of what I was going to write so go read it instead and then come back. He lays down his position on truth which jives completely with mine that I will quote here:

In a strict sense, all truth is provisional and stands open to challenge on the basis of a new interpretation of the available evidence or the provision of new evidence. The key point here is that it is evidence - old or new - that is at the heart of the determination.

In the meanwhile, the most truthful statements explain and are consistent with all the currently available evidence.

On the basis of consistency and utility, the most truthful statements are likely to be consistent with the current paradigm until persuasive evidence challenges that paradigm.

The most useful truths are those that do simply explain past phenomena but enable consistently accurate statements about the future.

I would only perhaps add some bullets to the list regarding protection of the truth from corrosive influences, whether subconscious or deliberate.

Additionally, I would clarify that this pursuit of truth is all about truth with a small "t". Many make the false assumption that there is (or must be) some metaphysical Truth with a capital "T" out there and even claim that skeptics or scientists think they "know the truth" or "know everything". Not only are these flimsy straw men, but skeptics and scientists generally do not believe that such a Truth is something we are going to be able to know for certain. Truth, and especially scientific truth, is always truth with a small "t". It is a provisional, asymptotic approximation of the Truth with a capital "T", or at least a usable model of that Truth that works well enough to make predictions and describe and understand our world.

As humans, we are fettered by various human frailties, biases and tendencies toward rationalization that make it often times difficult to step back and be truly objective about ourselves, our beliefs, the world and the facts that we attempt to evaluate. Our brains are constantly filtering and interpreting the information we receive via all of our senses. We all (skeptics included) need to be aware of and constantly diligent about these limitations as well in our pursuit of the truth. I've seen ideology trump facts and data too often in all walks of life. Follow the evidence!

Q: "What do you call alternative medicine that works?"
A: "Medicine"

I love this joke. It is pithy and gets to the heart of the difference between a prevalent topic where people have many rationales that lead them to relaxing the standards for reason and evidence to give something not rooted in demonstrable, testable, measurable facts a seat at the table next to something that is.

Reason and evidence are crucial as well for my vocation, information security. I have come across so many terrible arguments, both for and against, security controls as well as people who try to use security as a trojan horse to deliver something rooted in ulterior motives that would otherwise have never been green-lighted, or who use security as a sword to strike down something they don't like for other reasons (often unjustifiable or flimsy at best). Intellectual dishonesty, sloppy scholarship, fallacious argumentation, rationalization, cognitive dissonance all occur so often that it is useful and necessary to engage one's skills as a skeptic to get at the kernel of truth and ensure you are making the right evidence-based decisions, lest you convey a false sense of security, waste precious security budget on the wrong (or incomplete or ineffectual) solutions, or miss out on focusing on more important security problems. I think I've made a career out of being the voice of reason calling out for demonstrable evidence where necessary to prove an assertion or in redirecting efforts to address higher risk vulnerabilities than the hack-du-jour. I'll definitely write more about those experiences.

Wherever those pesky facts lead us is worthy of pursuit and protection from those who would undermine reality for pursuit of their own alternative agenda. There are the aforementioned who abuse the truth about information security to push a competing agenda, religious fundamentalists who are adulterating the educational system, global warming deniers preventing real change to stem the damage and research solutions to anthropogenic forcing, ideologues, quacks and charlatans who peddle remedies that simply don't work (except to drain your bank account) or worse, are highly dangerous or keep people from continuing with real therapies, religious fundamentalists that keep their kids from receiving medical care in lieu of prayer, etc. Visit http://whatstheharm.net/ for specific documented examples of the real harms of pseudoscience.

I leave you for now with some of my favorite quotes regarding the pursuit and importance of truth:

Truth is a shining goddess, always veiled, always distant, never wholly approachable, but worthy of all the devotion of which the human spirit is capable. -- Bertrand Russell

The pursuit of truth and beauty is a sphere of activity in which we are permitted to remain children all our lives. -- Albert Einstein

Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. -- Mark Twain

The truth may be puzzling. It may take some work to grapple with. It may be counterintuitive. It may contradict deeply held prejudices. It may not be consonant with what we desperately want to be true. But our preferences do not determine what's true. -- Carl Sagan

I maintain there is much more wonder in science than in pseudoscience. And in addition, to whatever measure this term has any meaning, science has the additional virtue, and it is not an inconsiderable one, of being true. -- Carl Sagan

The significance of our lives and our fragile planet is then determined only by our own wisdom and courage. We are the custodians of life's meaning. We long for a Parent to care for us, to forgive us our errors, to save us from our childish mistakes. But knowledge is preferable to ignorance. Better by far to embrace the hard truth than a reassuring fable. If we crave some cosmic purpose, then let us find ourselves a worthy goal. -- Carl Sagan

If I could get the world to respond to one question, it would be, Do we have the courage to let go of our beliefs in order to grab on to what is true? -- Sara Mayhew